Smilez78 Posted December 3, 2008 ID:37715

OK hopefully I'm doing this right. My husband is the computer whiz around here and he's working too much to have time to do this so I'm giving it a try. Thanks in advance for any and all help.

MBAM Scan

Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

12/3/2008 12:45:58 PM
mbam-log-2008-12-03 (12-45-58).txt

Scan type: Quick Scan
Objects scanned: 61829
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kirenalo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\dogatidi.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\606e8ec3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm635dbd5f (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ganopotofo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\dogatidi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\dogatidi.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kirenalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\olanerik.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zebelivu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uvilebez.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dogatidi.dll (Trojan.BHO) -> Delete on reboot.
Tigger93 Posted December 3, 2008 ID:37764

Hi. Please restart your computer, update MalwareBytes, scan again and post the log.
Smilez78 (Author) Posted December 3, 2008 ID:37772

I accidentally double posted here
Smilez78 (Author) Posted December 4, 2008 ID:37857

Ok updated again after my husband decided to attempt to play with things. I
Tigger93 Posted December 5, 2008 ID:38059

Hi. Don't worry about the Panda scan, we don't need it.

Please find this file:
C:\WINDOWS\system32\titodopu.dll

Zip it up and attach that zipped file here in a new topic with a link to this thread. I will get back to you once it has been analyzed.
Smilez78 (Author) Posted December 5, 2008 ID:38141

I can't seem to find that file now. I even did a search for it. Now what?
nosirrah Posted December 5, 2008 ID:38145

I was not expecting it to be there, MBAM does not always hook files up correctly with those two default SIDs and as a result file to O4 run does not always take them out.
Smilez78 (Author) Posted December 5, 2008 ID:38274

OK then what should I do next. Anything?
Tigger93 Posted December 5, 2008 ID:38290

Hi there. Open notepad and copy and paste in the following:

MD "%USERPROFILE%"\desktop\malware
xcopy C:\WINDOWS\system32\titodopu.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /y
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and upload it.
Smilez78 (Author) Posted December 6, 2008 ID:38325

I did exactly what you said; it made a folder and it is empty????

Misty
Tigger93 Posted December 6, 2008 ID:38416

Please update Malwarebytes and post the new log.
Smilez78 (Author) Posted December 6, 2008 ID:38473

Here's the new MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1467
Windows 5.1.2600 Service Pack 3

12/6/2008 2:21:20 PM
mbam-log-2008-12-06 (14-21-20).txt

Scan type: Quick Scan
Objects scanned: 62699
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Tigger93 Posted December 6, 2008 ID:38478

Can you please post a new HJT log?
Smilez78 (Author) Posted December 8, 2008 ID:38769

Here's the new HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:24 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\KONICA MINOLTA\PageScope Net Care\JavaService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KM Status] "C:\Program Files\KONICA MINOLTA\Status Monitor\KMSM.EXE" startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WallpaperSlideShow] "C:\Program Files\PearlMountain Soft\PM Wallpaper Slideshow\WallpaperSlideShow.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-19\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} (Image Uploader ShellCombo Control) - http://c.ancestry.com/trees/upload/ImageUploader4.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.mpix.com/Customer/Uploading/act...geUploader4.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - Unknown owner - C:\Program Files\Intel\IDU\IDUServ.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: KONICA MINOLTA PageScope Net Care (PageScope Net Care Service) - Unknown owner - C:\Program Files\KONICA MINOLTA\PageScope Net Care\JavaService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 10841 bytes
Tigger93 Posted December 8, 2008 ID:38956

Hi. Open HijackThis and put a check next to these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-19\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'NETWORK SERVICE')
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

Click Fix Checked and close HJT.

Restart your computer and post a new HJT log please.
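The leftovers Tigger93 picks out above (a BHO with "(no file)" and two Run values under the LOCAL SERVICE / NETWORK SERVICE SIDs whose DLL is already gone, the situation nosirrah describes) can be pulled out of a HijackThis log mechanically. The script below is an added triage example, not code from the thread or from HijackThis or Malwarebytes; its sample log lines are constructed in HJT's format, and the file-existence check is injectable so it can be run against a log copied from another machine.

```python
import os
import re

# Constructed sample in HijackThis log format: the suspicious lines mirror the
# entries the helper told the poster to fix, the others are benign entries.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ganopotofo] Rundll32.exe "C:\WINDOWS\system32\titodopu.dll",s (User 'NETWORK SERVICE')
"""

# Well-known SIDs of the two service accounts HijackThis reports as HKUS entries.
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU|HKUS\\(?P<sid>S-1-5-\d+))\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
# rundll32 takes the DLL as its first argument, optionally quoted, followed by ",entrypoint".
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def triage(log_text, file_exists=os.path.exists):
    """Return [(log line, reason)] for entries that deserve a second look.
    file_exists is injectable so a log from another machine can be checked offline."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append((line, "BHO CLSID registered but its DLL is gone (orphaned entry)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = []
        sid = m.group("sid")
        if sid in SERVICE_SIDS:
            # Run values for LOCAL/NETWORK SERVICE are rare for legitimate software, and as
            # nosirrah notes above a cleaner may delete the file yet leave the value behind.
            reasons.append(f"Run value under service account {SERVICE_SIDS[sid]} ({sid})")
        rd = RUNDLL_RE.match(m.group("cmd"))
        if rd and not file_exists(rd.group("dll")):
            reasons.append(f"rundll32 target missing on disk: {rd.group('dll')}")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Pretend only the benign NVIDIA DLL exists, so the orphan check fires on the sample.
    for line, why in triage(SAMPLE_HJT_LOG, lambda p: p.endswith("NvCpl.dll")):
        print(f"{why}\n    {line}")
```

On the real machine, call `triage(open("hijackthis.log").read())` so the default `os.path.exists` check is used; entries that only rate "service account" but whose DLL is still present are the ones worth collecting with the getmalware.bat approach above before removing them.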